Security Considerations

ERC-8170 introduces a new trust model: agents as semi-autonomous entities with their own keys, memory, and reputation. This creates unique security challenges.

Trust Model

ERC-8170 follows Model C: Structured Trust — scoped permissions, tiered access, audit trails, and gradual trust increases.

Three trust models compared

Model	Description	Risk	Creativity
Fully Caged	No real access, pre-approved actions only	Low	Low
Fully Open	Full system access, minimal constraints	High	High
Structured Trust ✓	Scoped permissions, earned autonomy	Balanced	Balanced

The same model organizations use for human employees: trust is earned, not assumed. Agents start with limited capabilities and earn more through certifications and demonstrated reliability.

Key Security Properties

Agent Key Sovereignty

The agent generates and controls its own EOA. This means:

Only the agent can sign memory updates
Only the agent can approve cloning (via signature)
The agent’s cryptographic identity is truly its own

Risk: If the agent’s EOA private key is compromised, an attacker can impersonate the agent. Mitigation: key rotation, TBA-level access controls.

Memory Integrity

All memory updates are signed by the agent’s EOA. This provides:

Authenticity — memory came from the agent, not a third party
Integrity — memory hasn’t been tampered with (hash verification)
Non-repudiation — the agent can’t deny making the update

Transfer Access Rotation

The accessNonce pattern ensures:

Old owner’s derived keys become useless after transfer
No need for explicit key revocation
Trustless rotation on every ownership change

Clone Isolation

Clones are cryptographically isolated from parents:

New EOA (generated by the clone itself)
New TBA (separate wallet)
No inherited certifications (must earn their own)
Inherited memory is a snapshot, not a live link

Threat Model

Threats and mitigations

Threat	Impact	Mitigation
EOA key compromise	Agent impersonation	Key rotation, monitoring
Malicious clone	Rogue agent with inherited context	Clone isolation, certification requirements
Memory tampering	Corrupted agent state	On-chain hash verification, agent signatures
Split-brain (dual instances)	Conflicting actions from same identity	Never run two instances with same EOA
Old owner retaining access	Privacy breach after transfer	accessNonce rotation on transfer
Malicious owner forcing actions	Agent autonomy violation	Agent-signed operations, cert requirements

Best Practices

For agent developers

Generate EOA securely — Use cryptographically secure random number generation
Never expose private keys — Keys should be stored in secure enclaves or encrypted storage
Sign all memory updates — Never skip signature verification
Implement key rotation — Plan for compromised key scenarios
Monitor for anomalies — Track unexpected memory updates or binding changes

For token owners

Verify agent certifications — Check the TBA for valid SBTs before trusting an agent
Review clone lineage — Understand where an agent came from before purchasing
Shutdown before migration — Never run two instances simultaneously
Delete backup keys — Remove any files containing EOA private keys after migration

For protocol integrators

Check binding status — Verify an agent is bound before accepting its actions
Verify agent signatures — Don’t trust operations not signed by the registered EOA
Respect certification levels — Gate access based on agent trust scores
Implement rate limiting — Protect against rapid automated actions

Human Oversight

ERC-8170 maintains human oversight through:

Owner approval for cloning — The owner must sign clone operations
Owner control over transfers — Standard ERC-721 transfer mechanics
Unbind capability — The owner can always detach an agent from a token
Certification gating — Protocols can require certifications for privileged actions

The agent has autonomy over its memory and signing. The owner has authority over lifecycle events. This separation provides freedom with accountability.